Bill Jonas on Sun, 4 Nov 2001 20:50:27 +0100



Re: [PLUG] [linux] Shell script madness (fwd)


On Fri, Nov 02, 2001 at 09:25:24AM -0500, gabriel rosenkoetter wrote:
> privileges (just run that one program) or to write a known-safe
> suid wrapper (written in C or another compiled language) for this
> binary.

I'll share something that mct helped me with.  I forget why I wrote
this; I think that I was going to write a masquerading identd or some
such nonsense in Perl but didn't want to give it root privileges to read
the IPNat tables (on OpenBSD).  Anyway, here's the C program:

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <unistd.h>     /* setuid(), setgid(), execl() */

int main (void)
{
    /* The binary is setuid root, so euid is already 0; make the real and
       saved IDs root too, and refuse to continue if either call fails
       rather than exec'ing with a half-changed set of credentials. */
    if (setuid(0) != 0 || setgid(0) != 0) {
        perror("setuid/setgid failed");
        exit(1);
    }
    /* Fixed path, fixed argv[0], fixed option; (char *)0 ends the list. */
    execl("/sbin/ipfstat", "ipfstat", "-s", (char *)0);
    perror("Exec failed");  /* only reached if execl() returns */
    exit(1);
}

Notice on the execl line that the command is repeated: once for the path
to the program, and I believe the second time is for its zeroth
argument, i.e., what will show up in the process table.  This is followed
by the program's arguments, one at a time, enclosed in double quotes and
separated by commas.  Your call to execl might look something like
'execl("/usr/local/bin/chronyc", "chronyc", (char *)0);'.  I'm not sure
how to pass things in on stdin, but command-line options would be like
above (i.e., 'execl("/usr/local/bin/chronyc", "chronyc", "--password",
"blablabla", "online", (char *)0);' if that would work).

You'd want to set the resulting binary to ownership by root.somegroup,
add the users you wish to be able to run it to somegroup, and set it to
mode 4110.  If you don't want to do the group-permissions thing, you
could add UID checking to an if statement wrapping the call to execl.

Now, I'm sure that gr will poke holes in this ;) (actually, I wouldn't
mind some constructive criticism; I'm not yet a C programmer but aspire
to be and haven't yet gotten around to it), but it seemed to work okay.
I never did get around to the project that this was created for.

-- 
Bill Jonas    *    bill@billjonas.com    *    http://www.billjonas.com/

Developer/SysAdmin for hire!   See http://www.billjonas.com/resume.html

______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
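An added example, not from Bill's message or any other PLUG post: the same wrapper idea with the checks the thread asks for. It refuses to run unless the real UID of the caller is on a compiled-in allow-list (the "UID checking in an if statement" alternative to the root.somegroup / mode 4110 setup), checks the return value of every privilege call and fails closed, drops the caller's supplementary groups, replaces the inherited environment with a fixed PATH so LD_PRELOAD and friends never reach the privileged target, and execs by absolute path with a fixed argv. The target path and option (/sbin/ipfstat -s) are taken from the message; the UID list (1000, 1001), the PATH value and the error messages are assumptions.

```c
#define _DEFAULT_SOURCE          /* glibc: expose setgroups(); harmless elsewhere */
#include <errno.h>
#include <grp.h>                 /* setgroups() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The one program this wrapper may run, by absolute path, with a fixed argv.
   Path and option taken from the message above; never derived from user input. */
static const char *const TARGET = "/sbin/ipfstat";
static char *const TARGET_ARGV[] = { "ipfstat", "-s", NULL };

/* Assumed allow-list of real UIDs permitted to invoke the wrapper. */
static const uid_t ALLOWED_UIDS[] = { 1000, 1001 };
#define N_ALLOWED (sizeof ALLOWED_UIDS / sizeof ALLOWED_UIDS[0])

/* Returns 1 if uid appears in allowed[0..n), else 0. Pure function so the
   policy can be exercised without root. */
int uid_allowed(uid_t uid, const uid_t *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == uid)
            return 1;
    return 0;
}

/* A fixed environment for the target: a known PATH and nothing inherited
   from the caller (no LD_PRELOAD, LD_LIBRARY_PATH, IFS, ...). Static storage,
   NULL-terminated, in the shape execve() expects. */
char *const *safe_env(void)
{
    static char *const env[] = { "PATH=/bin:/sbin:/usr/bin:/usr/sbin", NULL };
    return env;
}

/* Make every credential root and fail closed if anything refuses.
   Order: drop groups while euid is still 0, then gid, then uid, then re-verify. */
int become_root(void)
{
    if (setgroups(0, NULL) != 0) return -1;   /* drop caller's supplementary groups */
    if (setgid(0) != 0)          return -1;
    if (setuid(0) != 0)          return -1;
    /* Belt and braces: confirm real and effective IDs are all 0. */
    if (getuid() != 0 || geteuid() != 0 || getgid() != 0 || getegid() != 0)
        return -1;
    return 0;
}

int main(void)
{
    uid_t caller = getuid();   /* real UID = who ran us; euid is root via the setuid bit */

    if (!uid_allowed(caller, ALLOWED_UIDS, N_ALLOWED)) {
        fprintf(stderr, "wrapper: uid %lu is not permitted\n", (unsigned long)caller);
        return 1;
    }
    if (become_root() != 0) {
        fprintf(stderr, "wrapper: could not become root: %s\n", strerror(errno));
        return 1;
    }
    execve(TARGET, TARGET_ARGV, safe_env());
    perror("wrapper: exec failed");   /* only reached if execve() returns */
    return 1;
}
```

Install it as root-owned with mode 4111 (or 4110 plus a group, as in the message, for a second layer); since the allow-list is compiled in, adding a user means rebuilding, which is the point: nothing about who may run the privileged command is decided at run time from data the caller controls.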